Fluid Attacks Database

Description

Empty Cmd.Path can trigger unintended binary in os/exec on Windows On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset will unintentionally trigger execution of any binaries in the working directory named either "..com" or "..exe".

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	stdlib	>=0 <1.17.11	1.17.11

Aliases

1. CVE-2022-305802. NVD-2022-305803. OSV-GO-2022-05324. OSV-2022-305805. GCVE-2022-30580

References

1. https://go.dev/cl/4037592. https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e3. https://go.dev/issue/525744. https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.